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In this paper we present a compositional semantics for the channel-based coordination language 
Reo which enables the analysis of quality of service (QoS) properties of service compositions. For 
this purpose, we annotate Reo channels with stochastic delay rates and explicitly model data-aiTival 
rates at the boundary of a connector, to capture its interaction with the services that comprise its 
environment. We propose Stochastic Reo automata as an extension of Reo automata, in order to 
compositionally derive a QoS-aware semantics for Reo. We further present a translation of Stochastic 
Reo automata to Continuous-Time Markov Chains (CTMCs). This translation enables us to use third- 
party CTMC verification tools to do an end-to-end performance analysis of service compositions. 



1 Introduction 



In service-oriented computing (SOC), complex distributed applications are built by composing existing 
- often third-party - services using additional coordination mechanisms, such as workflow engines, 
component connectors, or tailor-made glue code. Due to the high degree of heterogeneity and the fact 
that the owner of the application is not necessarily the owner of its building blocks, issues involving 
quality of service (QoS) properties become increasingly entangled. Even if the QoS properties of every 
individual service and connector are known, it is far from trivial to determine and reason about the end- 
to-end QoS of a composed system in its application context. Yet, the end-to-end QoS of a composed 
service is often as important as its functional properties in determining its viability in its market. 

Reo f2l, a channel -based coordination language, supports the composition of services, and typically, 
its semantics is given by Constraint Automata (CA) Uj. However, CA do not account for the QoS prop- 
erties and cannot capture the context-dependency |[T1 of Reo connectors. To capture context-dependency, 
Reo automata were introduced in [3|, but they still do not account for the QoS properties. Quantitative 
Intentional Automata (QIA) were proposed in [4] to account for the end-to-end QoS properties of a Reo 
connector, but no formal results are readily available on their compositionality. 

As our contribution, we present Stochastic Reo automata to overcome the shortcomings of CA and 
QIA, mentioned above: a compositional semantic model for reasoning about the end-to-end QoS prop- 
erties, as well as handling the context-dependency of Reo connectors. We show that the compositional- 
ity results of Reo automata extend to Stochastic Reo automata. We present a translation of Stochastic 
Reo automata to Continuous-Time Markov Chains (CTMCs). This allows the use of third-party tools 
for stochastic analysis. Therefore, this paper shows a compositional approach for constructing Markov 
Chain (MC) models of complex composite systems, using Stochastic Reo automata as an intermediate 
model. In other words. Stochastic Reo automata provides a compositional framework wherein the corre- 
sponding CTMC model of a connector can be derived. This approach, thus, constitutes a compositional 
framework for modeling and analysis of the QoS properties of complex systems, where our translation 
derives a CTMC model for complex systems for subsequent analysis by other tools. 
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2 Overview of Reo 

Reo is a channel-based coordination model wherein so-called connectors are used to coordinate, i.e., 
control the communication among, components or services exogenously (from outside of those compo- 
nents and services). In Reo, complex connectors are compositionally built out of primitive channels. 
Channels are atomic connectors with exactly two ends, which can be either source or sink ends. Source 
ends accept data into, and sink ends dispense data out of their respective channels. Reo allows channels 
to be undirected, i.e., to have respectively two source or two sink ends. 

a b a ha ha b 

• X • >• • 1 >• • > < • 



Sync LossySync FIFOl SyncDrain 

Figure 1 : Some basic Reo channels 

Figure [T] shows the graphical representations of some basic channel types. The Sync channel is a 
directed, unbuffered channel that synchronously reads data items from its source end and writes them 
to its sink end. The LossySync channel behaves similarly, except that it does not block if the party at 
the sink end is not ready to receive data. Instead, it just loses the data item. FIFOl is an asynchronous 
channel with a buffer of size one. The SyncDrain channel differs from the other channels in that it has 
two source ends (and no sink end). If there is data available at both ends, this channel consumes (and 
loses) both data items synchronously. 

Channels can be joined together using nodes. A node can have one of three types: source, sink or 
mixed node, depending on whether all ends that coincide on the node are source ends, sink ends or a 
combination of both. Source and sink nodes, called boundary nodes, form the boundary of a connector, 
allowing interaction with its environment. Source nodes act as synchronous replicators, and sink nodes 
as mergers. A mixed node combines both behaviors by atomically consuming a data item from one sink 
end and replicating it to all of its source ends. 

An example connector is depicted in Figure |2] It reads a data item from a, buffers it in a FIFOl and 
writes it to d. The connector loses data items from a if and only if the FIFOl buffer is already full. This 
construct is therefore called (overflow) LossyFIFOl. 

a he d 

, ^, ^ ^, 



Figure 2: Example connector: LossyFIFOl 



2.1 Semantics: Reo automata 

In this section, we recall Reo automata, an automata model that provides a compositional operational 
semantics for Reo connectors. Intuitively, a Reo automaton is a non-deterministic automaton whose 
transitions have labels of the form g\f, where g is a guard (boolean condition) and / a set of nodes that 
fire synchronously. A transition can be taken only when its guard g is true. 

We recall some facts about Boolean algebras. Let £ = {0\ , . . . , Ok] be a set of symbols that denote 
names of connector ports, a be the negation of a, and 'Bz be the free Boolean algebra generated by the 
following grammar: 

? ::= aell Tl ^\g\Jg\ghg\g 



Y.J. Moon, A. Silva, C. Krause, F. Arbab 



95 



ab\ab 




Sync 



LossySync 



SyncDrain 



FIFOl 



Figure 3: Automata for basic Reo channels 



We refer to the elements of the above grammar as guards and in its representation we frequently omit 
A and write gig2 instead of g\ Ag2- Given two guards gi,g2 G 'Sz, we define a (natural) order < as 
g\ < g2 <^=^ gi ^g2 = g\- The intended interpretation of < is logical implication: ^i implies g2. An 
atom of 23s is a guard ai ...a^ such that a,- G £ U £ with £ = {a,- | cr, G £}, 1 < / < ^. We can think of 
an atom as a truth assignment. We denote atoms by Greek letters a, j8, . . . and the set of all atoms of 
Tiz by Ati;. Given 5 C £, we define 5 G Sj; as the conjunction of all elements of S. For instance, for 
S = {a,b,c} we have S = abc. 

Definition 1 /H/ A Reo automaton is a triple (£, Q, 5) where £ is the set of nodes, Q is the set of states, 
5 (^Qx "Bz x2^ X Q is the transition relation such that for each q — > q' G 5: 



(i)g<f 



g"\f 



(ii)yg<g'<f-ya<g'-3q^q'e5- a<g" 



(reactivity) 
(uniformity) 



In Reo automata, for simplicity we abstract data constraints m and assume they are true. We use 

g\f 
arrows q — > q' for {q,g,f,q') G 5. If there is more than one transition from state q to q' we often just 

draw one arrow and separate their labels by commas. In Figure |3] we depict the Reo automata for the 

basic channel types listed in Figure [T] 

g\f 
Intuitively, every transition q — > q' in an automaton corresponding to a Reo connector represents 

that, if the connector is in state q and the boundary requests present at the moment, encoded by an atom a, 

are such that cc <g, then the nodes / fires and the connector evolves to state q'. Each transition labeled by 

g\f satisfies two criteria: (i) reactivity — data flows only on nodes where a request is pending, capturing 

Reo's interaction model; and (ii) uniformity — which captures two properties, firstly, that the request 

set corresponding precisely to the firing set is sufficient to cause firing, and secondly, that removing 

additional unfired requests from a transition will not affect the (firing) behavior of the connector |^. 



2.1.1 Composing Reo connectors 

We now model at the automata level the composition of Reo connectors. We define two operations: 
product, which puts two connectors in parallel, and synchronization, which models the plugging of two 
nodes. Thus, the product and synchronization operations can be used to obtain the automaton of a Reo 
connector by composing the automata of its primitive connectors. Later in this section we formally show 
the compositionality of the operations. 

We first define the product operation for Reo automata. This definition differs from the classical 
definition of (synchronous) product for automata: our automata have disjoint alphabets and they can 
either take steps together or independently. In the latter case the composite transition in the product 
automaton explicitly encodes that one of the two automata cannot perform a step in the current state, 
using the following notion: 
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Definition 2 fT] Given a Reo automaton A = (Z, 2, 5) and q £ Qwe define 

This captures precisely that A cannot fire in state q. 

Definition 3 [3] Given two Reo automata A\ = {L\,Q\,8i) andA2 = (£2,22,52) such that 1,1 01,2 = 0, 
we define ;/je product ofAi and A2 as Ai x yi2 = (Zi ur2,2i x 22,5) where 5 consists of: 



{{q^p) 

U {{q:P. 
U {{q:P. 



w 



gp 



{q',p')\q^q'ediAp'Xp'ed2} 
{q',p)\qXq'€5iAp£Q2} 



8t\f 



g\f. 



p' e52Aq£Qi} 



Here and throughout, we use //' as a shorthand for /U/'. The first term in the union, above, applies when 
both automata fire in parallel. The other terms apply when one automaton fires and the other is unable 
to (given by p^ and q\ respectively). Note that the product operation is closed for Reo automata, since it 
preserves reactivity and uniformity tSJ. Figure |4] shows an example of the product of two automata. 



abc\ab 




abd\abd 

abd\ad 

ad\d 



ad\ad 
ad\d 



Figure 4: Product of LossySync and FIFOl and its synchronization of nodes b and c 

We now define a synchronization operation that corresponds to joining two nodes in a Reo connector. 
In order for this operation to be well-defined we need that every guard in a transition label in the automata 
is a conjunction of literals. Note that in the automata presented in Figure [3] for basic Reo channels this is 
already the case, and moreover, it is always possible to transform any guard g into this form, by taking 
its disjunctive normal form (DNF) gi V . . . Vgi and splitting the transition g\f into the several gi\f, for 
/ = \,. . .,k. Given a transition relation 8 we call norm{5) the normalized transition relation obtained 
from 5 by putting all its guards in DNF and splitting the transitions as explained above. 

When synchronizing two nodes a and b (which ai^e then made internal), in the resulting automaton, 
only the transitions where either both a and b or neither a nor b fire are kept — that is, a and b synchro- 
nize. In order to propagate context information (requests), we require that every guard contains either a 
or b, expressed by the condition g ^ab below, which more or less corresponds to an internal node acting 
like a self-contained pumping station [ 2 ] , meaning that an internal node cannot store data or actively 
block behavior. 

Definition 4 [3] Given a Reo automaton A = {L,Q,5), we define the synchronization /or a,b ^L as 

da,b-^ = (^, 2, S') where 

o = \q — -> q \q — >q ^norm(O) s.t. g %ab and a ^ j -^ b ^ j\ 
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Here and throughout, g\ab is the guard obtained from g by deleting all occurrences of a and b. It is worth 
noting that synchronization preserves reactivity and uniformity. 

Figure|4]depicts the product of LossySync and Fl FOl, together with the result of synchronizing nodes 
b and c. This synchronized result provides the semantics for the LossyFIFOl example in Figure|2] 

2.1.2 Compositionality 

Given two Reo automata A\ and A2 over the disjoint alphabets Zi and II2, {fl'i, • • .,a/t} ^ Zj and 
{bi,. .., bk] ^ £2 we construct ^q, fo, 5a2,fo2 ' ' ' ^a*&<r (-^i ^ -^2) as the automaton corresponding to a con- 
nector where node a, of the first connector is connected to node bi of the second connector, for all 
/ G {1, . . . ,/:}. Note that the 'plugging' order does not matter because d is commutative and it interacts 
well with product. These properties are captured in the following lemma. 

Lemma 1 ^ For the Reo automata A\ = {L\,Q\.,5\) and A2 = {^2-,Q2-:52): 

1- da.bdc.dAi = dc.dda^b-^u ifa,b,c,d G Ly. 

2. (da^h-Al) X yi2 ~ daM{Al X ^12), ifa,b ^ £2 

The notion of equivalence ~ used above is bisimulation, defined as follows. 

Definition 5 /2]/ Given the Reo automata A\ = (£, 2i , 5i ) and A2 = (£, Q2^^), we call R^Q\ >i Q2 
a bisimulation iff for all {q\ , ^2) G R- 

s\f s'\f 

Ifqi — > q[ G di and a G Ati:, CC < g, then there exists a transition q2 — > q'2^ ^ such that CC < g' 

and {q\ ^c^-^) G /? and vice-versa. 

We say that two states q\ G Q\ and ^2 G Q2 are bisimilar if there exists a bisimulation relation containing 
the pair (^1 , ^2) and we write q\ ~ ^2- Two automata ^li and yi2 are bisimilar, written A\ ~ yi2, if there 
exists a bisimulation relation such that every state of one automaton is related to some state of the other 
automaton. 

3 Stochastic Reo 

Stochastic Reo is an extension of Reo where channel ends and channels are annotated with stochastic 
values for data arrival rates at channel ends and processing delay rates at channels. Such rates are non- 
negative real values and describe how the probability that an event occurs varies with time. Figure [5] 
shows the stochastic versions of the primitive Reo channels in Figure [T] Here and throughout, for sim- 
plicity, we omit the node names, since they can be inferred from the names of their respective arrival 
rates: for instance, ja is the arrival rate of node a. 

yab yah yab JaF yFb 

-CD- 



ya yb fa )"''• yb 7" yb J" yb 

Figure 5: Basic Stochastic Reo channels 

A processing delay rate represents how long it takes for a channel to perform a certain activity, such 
as data-flow. For instance, a LossySync has two associated rates yab and yah for, respectively, successful 
data-flow from node a to node b, and losing the data item from node a. In a FIFOl yaF represents the 
delay for data-flow from its source a into the buffer, and yFb for sending the data from the buffer to the 
sink b. 



98 



A Compositional Semantics for Stochastic Reo Connectors 



Arrival rates describe the time between consecutive arrivals of I/O requests at the source and sink 
nodes of Reo connectors. For instance, ja and yb in Figure|5]are the associated arrival rates of write/take 
requests at the nodes a and b. 

Since arrival rates on nodes model their interaction with the environment only, mixed nodes have no 
associated arrival rates. This is justified by the fact that a mixed node delivers data items instantaneously 
to the source end(s) of its connected channel(s). Hence, when joining a source with a sink node into a 
mixed node, their arrival rates are discardecQ 

A stochastic version of the LossyFIFOl is depicted in Figure |6j including its arrival and processing 
delay rates. 



Jab 
yaL 



ycF 



-C3- 



yFd 



yd 



Figure 6: Stochastic LossyFIFOl 



3.1 Semantics: Stochastic Reo automata 

In this section, we provide a compositional semantics for Stochastic Reo connectors, as an extension of 
Reo automata with functions that assign stochastic values for data-flows and I/O request arrivals. 

Definition 6 A Stochastic Reo automaton is a triple (yi,r,t) where A = (Z, Q, 5ji) is a Reo automaton 
and 



• r:! 



is a function that associates with each node its arrival rate. 



• t : 5/1 — )• 2 is a function that associates with a transition a subset o/0 C 2 x 2 x M+ such that 
each (1, 0,r) G corresponds to a data-flow where I is a set of input and/or mixed nodes; O is a 
set of output and/or mixed nodes and r is a processing delay rate for the data-flow. 



The Stochastic Reo automata corresponding to the LossySync and FIFOl in Figure |6]are defined by the 
functions r and t shown in Table [T] Note that the function t is depicted in the transition, and function r is 
shown by a table.". 



ab\ab, {{{a},{b},yab)} 
ab\a, {({fl},0, yaL)} 





r 


a 
b 


ya 
yb 



c|c, {({c},0,7cF)} 
d\d,{{^M},YFd)} 





r 


c 

d 


yc 
yd 



Table 1: Stochastic Reo automaton for LossySync and FIFOl 



An element of G is accessed by projection functions / : — )• 2^, o : — )■ 2^ and v : 



p+- 



i{d) and o{G) return, respectively, relevant input and output nodes of a data-flow, and v{6) returns the 
delay rate of a data-flow through nodes in i{d) and o{d). 

'For simplicity, we assume ideal nodes whose activity incurs no delay. Any real implementation of a node, of course, 
induces some processing delay rate. A real node can be modeled as a composition of an ideal node with a Sync channel that 
manifests the processing delay rate. Thus, we can associate delay distributions with Stochastic Reo nodes and automatically 
translate them into such "Sync plus ideal node" constructs . 
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g\f 
q > 

g\f. 



e'\f' 



^Ut2ip'Xp') 



Definition 7 Given two Stochastic Reo automata (yii,ri,ti) and {A2, 1^2,^2), their product is defined as 

(yii,ri,ti) X (yi2,r2,t2) = (^1 xyi2,ri Ur2,t) where 

t{ig,p)''^' iq',p'))=U( 

t{{q,p) ^ {q\p))=ti{q 

g'lf 
t{{q,p) — > {q,p')) 

Note that we use x to denote both the product of Reo automata and the product of Stochastic Reo 
automata. 

The set of 3-tuples that t associates with a transition m represents the composition of the delay rates 
involved in all data-flows synchronized by the transition m. In order to keep Stochastic Reo automata 
generally useful and compositional, and their product commutative, we avoid fixing the precise formal 
meaning of distribution rates of synchronized transitions composed in a product; instead, we present the 
"delay rate" of their composite transition in the product automaton as the union of the delay rates of the 
synchronizing transitions of the two automata. How exactly these rates combine to yield the composite 
rate of the transition depends on different properties of the distributions and their time ranges. For 
example, in the continuous-time case, no two events can occur at the same time; whereas the exponential 
distributions are not closed under taking maximum. In Section [4] we show how to translate a Stochastic 
Reo automaton to a CTMC by the union of rates of the exponential distribution in the continuous-time 
case. 

Definition 8 For a Stochastic Reo automaton {A,r,t), the synchronization operation on nodes a and b 
is defined as da^b{A,r^t) = {da,bA.y ,i') where 

• r' is r restricted to the domain E\ {a,^?}. 

• t' is defined as: 



i{q \ q 



g\f 



{{A',B',r)\{A,B,r)Gt{q—^q 

A' = sync {A, {a, b}) A B' = sync{B,{a,b}) } 



sync : 2^ X 2^ —7- 2^ gathers nodes joined by synchronization, and is defined as: 



sync {A, B) 



AUB 
A 



ifAnB^(d 
otherwise 



Note that we use the symbol d^^t to denote both the synchronization of Reo automata and the synchro- 
nization of Stochastic Reo automata. 

We now revisit the LossyFIFOl example. Its semantics is given by the triple (yiio„yf/foi,r,t), where 
A-LossyFiFOi IS the automaton depicted in Figure Hand r is defined as r = {a 1— )• 7a,(i 1— )• yd}. For t, we 

first compute tiossySyncxFIFOl- 

abc\ab, 01 abclabc, ©3 ^^^|^^^ ©^ 

abc\a, ©2 abc\ac, ©4 abd|a, ©2 

ca\c, ©5 




abd\abd, ©g 

abd|ad, ©7 

dald, ©8 



©1 


{{{a},{b},Yab)} 


©2 


{(M,0,7«i)} 


©3 


{{{a},{b},Yab),i{c},<d,ycF)} 


©4 


{{{a},(d,YaL),{{c},(!>,rcF)} 


©5 


{{{c},(S,rcF)} 


©6 


{i{a},{b},yab),i<d,{d},yFd)} 


©7 


{{{a},(l>,YaL),{(i,{d},YFd)} 


©8 


m{d},rFd)} 
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Above, the labels that correspond to the transitions that will be kept after synchronization appear in bold. 
Thus, the result of joining nodes by synchronization, is shown in Figure|7]as: 

a\a 
{{{a},{h,c},Yab),{{h,c},(ll,rcF)} 



ad\a, {{{a},Q),YaL )} 

ad\ad, {({a},0,7aL),(0,{J},7FJ)} 
da\d, m{d},rFd)} 

Figure 7: Stochastic Reo automaton for LossyFIFOl 

Note that the port names that appear in bold represent the synchronization of nodes b and c. 

In this way, we can carry in the semantic model of Reo circuits, given as Reo automata, stochastic 
information, i.e., arrival rates and processing delay rates that pertain to its QoS. 

Definition [6] shows that our extension of Reo automata deals with such stochastic information sepa- 
rately, apart from the underlying Reo automaton. Thus, our extended model retains the properties of Reo 
automata, i.e., the compositionality result presented in Section 2.1.2 can be extended to Stochastic Reo 
automata: 

Lemma 2 For two disjoint Stochastic Reo automata (^i,ri,ti) and (>l2,r2,t2) with A\ = {JL,Q\,5\) 
andA2 = (^,02,^), 

1- da^bdc,d{Ai,ri,ii) = dc4da.h{A]_,ri,ii), ifa,b,c,d£Li 

2. {da,h{-^i,ri,ti)) X (yi2,r2,t2) ~ da^h{{^i,ri,ti) x ('/l-2,r2,t2)), ifa,b^ £2 

Here (yii,ri,ti) ~ ('A2,r2,t2) if and only if yii ~ yi2, ri = r2 and ti = t2. Because of space limitation, 
we leave the proof of this lemma for an extended version of this paper 

4 Translation to CTMC 

In this section, we show how to translate a Stochastic Reo automaton into a homogeneous CTMC model. 
A homogeneous CTMC is a stochastic process with 1) homogeneity, 2) memoryless/Markov property, 
and 3) discrete state space in the continuous-time domain II 19 1 . These properties yield efficient method- 
ologies for numerical analysis. 

In the continuous-time domain, the exponential distribution is the only one that satisfies the memo- 
ryless property. Therefore, for the translation, we assume that the rates of data-arrivals and data-flows 
are exponentially distributed. 

A CTMC model derived from a Stochastic Reo automaton (yi,r,t) with A = {L,Q,5ji) is a pair 
{S, 5) where S = Sa^Sm i& the set of states. Sa represents the configurations of the system derived from 
its Reo automaton and the pending status of I/O requests; Sm is the set of states that result from the 
micro-step division of synchronous actions (see below). 5 = SAn-^Sproc C 5 x M+ x S, explained below, 
is the set of transitions, each labeled with a stochastic value specifying the arrival or the processing delay 
rate of the transition. Sah- and Spmc are defined in Section 4.3. 

A state in S models a configuration of the connector, including the presence of the I/O requests 
pending on its boundary nodes, if any. Data-arrivals change system configuration only by changing 



Y.J. Moon, A. Silva, C. Krause, F. Arbab 101 

the pending status of their respective boundary nodes. Data-flows corresponding to a transition of a 
Reo automaton change the system configuration, and release the pending 1/0 requests on its involved 
boundary nodes. 

In a CTMC model, the probability that two events (e.g., the arrival of an 1/0 request, the transfer of 
a data item, a processing step, etc.) happen at the same time is zero: only a single event occurs at a time. 
In compliance with this requirement, for a Stochastic Reo automaton (yi,r,t) with A = (£, Q, 5a) and a 
set of boundary nodes £' C £, the set Sa and the preliminary set of data-arrival transitions of the CTMC 
derived for (yi,r,t) are defined as: 

Sa = {{q,R)\q£Q,R^L'} 

SL = {{q,R)'-^{q,RU{c})\{q,R),{q,RU{c})C^SA,c(^R} 



The set 5L,, is used in Section 4.3 to define 5Arr- 



4.1 Micro-step transitions 

The CTMC transitions associated with data-flows are more complicated since groups of synchronized 
data-flows are modeled as a single transition in a Reo automaton. Therefore, we need to divide such 
synchronized data-flows into so-called micro-step transitions, respecting the connection information, 
i.e., the topology of a Reo connector. 

The connection information can be recovered from the 3-tuples associated with each transition in 
a Reo automaton since the first and the second elements of a 3-tuple describe the input and the output 
nodes, respectively, involved in the data-flow of its transition, and the data-flow in the transition occurs 
from its input to its output nodes. 

For example, the transition {q,e) — > {q,f) in the Reo automaton of the LossyFIFOl example in 
Figure Ivlhas a set of the 3-tuples {{{a},{b,c},Yab), {{b,c},d,YcF)}. The connection information in- 
ferred from this set states that data-flow occurs from a to the buffer through b and c. The transition is 
thus divided into two consecutive micro-step transitions {{a},{b,c},Yab) and {{b,c},Q,YcF). 

Such data-flow information of each transition in a Reo automaton is formalized by a delay-sequence 
defined by the following grammar: 

A9 A ::=£ I I A|A | X;X 

where e is the empty sequence and is a 3-tuple {l,0,r) for a primitive Reo channel. A|A denotes 
parallel composition, and A; A denotes sequential composition. The empty sequence e is an identity 
element for ; and | , | is commutative, associative, and idempotent, ; is associative and distributes over | . 

4.2 Extracting delay-sequences 

The delay-sequence corresponding to a set of 3-tuples associated with a transition in a Stochastic Reo 
automaton is obtained by Algorithm |4.2[ 1. Note that if the parameter of the function Ext is a singleton, 
then Ext({0}) = d since i{d)no{d) = 0. 

Intuitively, the Ext function delineates the set of activities that - at the level of a Stochastic Reo 
automaton - must happen synchronously/atomically, into corresponding delay-sequences. If a certain 
data-flow associated with a 3-tuple di explicitly precedes another one 62, then di is sequenced before 62, 
i.e., encoded as di ; 62- Otherwise, they can occur in any order, encoded as di \ 62- 
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Algorithm 4.2.1 Extraction of a delay-sequence out of a set of 3-tuples 

g\f 
Ext(0) where & = t{p — > q) 

S = e, toGo = 0, Init := {0 G I i{e)r\o{e') = for all d' G 0} 
for d e Init do 

Xe := e, Pre := {0}, toGo := toGo\Pre 

Post = {0 e toGo I 30' G Pre s.t. o(0') n /(0) / 0} 

while Post / do 

X' := (0i| • • -10^) where Post = {0i, • • • , 0J 
Xq :=Xq;X', Pre.= Post, toGo := toGo\Pre 
Post := {0 G ?oGo I 3d' G Pre 5.f . o{d')ni{d) / 0} 
end whUe 
S:=S\Xg 
end for 
return S 



Applying Algorithm 4.2 1 to the LossyFIFOl example yields the following result: 

a\a, Ai 

a, A2 




ac/|at/, A3 
fl(^|fif, A4 



Ai: 


({fl},{fe,c},7fl/7);({/7,c},0,7cF) 


A2: 


({fl},0,7flL) 


A3: 


({fl},0,7fli)|(0,M,7^«') 


A4: 


(0,{4,7^«') 



The parameter of Algorithm 4.2 1 is a finite set of 3-tuples, and Init, Post and toGo, subsets of 0, 



are also finite. Moreover, Post becomes eventually since toGo decreases during the procedure. Thus, 



we can conclude that Algorithm 4.2 1 always terminates. 



4.3 Deriving the CTMC 

We now show how to derive the transitions in the CTMC model from the transitions in a stochastic Reo 
automaton. We do this in two steps: 

1. For each transition p — > q ^ 5ji, we derive transitions {p,R) — > {q,R\f) for every set of 

pending requests R that suffices to activate the guard g (^ < g \ £), where X is the delay-sequence 

g\f 
associated with the set of 3-tuples t{p — > q). This set of derived transitions is defined below as 

OMacro ■ 

2. We divide a transition in Smucw labeled by X into a combination of micro-step transitions, each of 
which corresponds to a single event. 



The following figure briefly illustrates the procedure mentioned above: 
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A sequential delay-sequence X\ ; A2 allows for the events corresponding to X\ to occur before the ones 
corresponding to A2. For a parallel delay-sequence Ai | A2, events corresponding to Ai and A2 occur in an 
interleaving way, while they preserve their respective order of occurrence in Ai and A2. All indexed states 
Sn are included in Sm which consists of the states derived from the division of synchronized data-flows 
into micro-step transitions. 

Given a Stochastic Reo automaton {A,r,i) with A = {JL,Q,8j\) and a set of boundary nodes Z', a 
macro-step transition relation for the synchronized data-flows is defined as: 

5Macro = {{p,R) ^{q,R\f) \ p ^ q ^ Sji, R CL' , R < g\% X =Ext{t{p ^ q))} 

We explicate a macro-step transition with a number of micro-step transitions, each of which corre- 
sponds to a single data-flow. This refinement yields auxiliary states between the source and the target 
states of the macro-step transition. Let {p,R) be a source state for a data-flow corresponding to a 3-tuple 
6. Then the generated auxiliary states are defined as {pQ,R\nodes{d)) where pg is just a label denoting 
that data-flows corresponding to 6 have occurred, and the function nodes : A — ;■ 2^ is defined as: 

i{d)uo{d) ax = 6 

nodes{?ii)L)nodes{?i2) ifA=Ai;A2 VA=Ai|A2 

A 



nodes{X) - 
The set of such auxiUary states is obtained as Sm = states{{p,R) 



,R')) where 



states[[p,Rj — > [q,R jj = < A 

I \Jstates{m)\/m £ div{{p,R) — ; 

The function div : SMacw — ^ 2^'^""" is defined as: 



hR')) 



ifA = 
otherwise 



divi{p,R) ^ iq,R')) = < 



{ip,R) ^ iq,R')} 



ifA = e A ${p,R) A {p',R')£5, 



'Macro 



div{{p,R) ^ ipx„R"))^diviipx„R") ^ {q,R')) 

if A = Ai ; A2 where R" = R\ nodes {Xi 

{mi Mm2 I Mi £ div{{p,R) ^ iPx,,R")), i G {1,2}} 

if A = Ai I A2 where R" = R\ nodes{Xi] 
otherwise 





where the function CXI computes all interleaving compositions of the two transitions as: for every {p,R\) G 
states{s2 -^ s'2) and for every {p-jRi) G states{si — ^ s\) 



Si 



M S2 



02, 



s\ — > s. 



1x1 5'2 



ip,Ri) ' — > {pg^,Ri\nodes{ei)) {p^Ri) ^ — > {pg^,R2\ nodes {62)) 

The following example shows the application of the function div to a non-trivial delay-sequence, which 
contains a combination of sequential and parallel compositions. 
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Example 1 Consider the stochastic Reo connector below. Every indexed G is a rate for its respective 
processing activity, e.g., 62 is the rate at which the top-left FIFOl dispenses data through its sink end; 63 
is the rate at which the node replicates its coming data, etc. Pi and P2 show up in Smucw, derived from 
the Stochastic Reo automaton of this circuit, by two transitions with the delay-sequences of X\ and X2 
where: 

• from Pi: Aj = ((62; 03)1(08; 69)) ; (04|0io|0ii) 

• fromP2: A2 = (65; de) 




To derive a CTMC, Ai and X2 must be divided into micro-step transitions. We exemplify a few of these 
divisions. For X\_, the division of {B4\Bio\B\i) is trivial since it contains only simple parallel composi- 
tion. This division result is then appended to the division result of {Q2', 63) | {Q%', 69), which has the same 
structure as that 0/A2. Thus, we show below the division result 0/A2 only. 

In the following CTMC fragment, to depict which events have occurred up to a current state, the 
name of each state shows the delays of all the events that have occurred up to the current state. The 
delay for a newly occurring event is appended to the existing state name. 




This example shows that when a delay-sequence X is generated by parallel composition, the events 
in one of the sub-delay-sequences of X occur independently of the events in other sub-delay-sequences. 
Still they keep their occurrence order in the sub-delay-sequence that they belong to. ■ 

The division into micro-step transitions ensures that each transition has a single 3-tupIe in its label. 
Thus, the micro-step transitions can be extracted as: 



JProc 



{ip,R) 



v{9) 



{p',R') I {p,R) ^ {p',R') G div{t) for all t G dMacro} 



Synchronized data-flows in a Reo automaton are considered atomic, hence other events cannot in- 
terfere with them. However, splitting these data-flows allows non-interfering events to interleave with 
their micro-steps, disregarding the strict sense of their atomicity. For example, a certain boundary node 
unrelated to a group of synchronized data-flows can accept a data item between any two micro-steps. 
Since we want to allow such interleaving, we must explicitly add such data-arrivals. For a Stochastic 
Reo automaton (yi,r,t) with A = (Z, Q, 5yi) and a set of micro-step states Sm, its full set of data-arrival 
transitions, including its data-arrivals, is defined as: 



UArr 



d;,,,U{{p,R) "-^ {p,RU{d}) \ {p,R),{p,RU{d}) e Sm, d eZ, d ^ R} 
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The derived CTMC model can be used for stochastic analysis. For instance, Figure |9] is obtained 
from PRISM [ 17] using the CTMC model (see Figure |8]l derived from the Stochastic Reo circuit of the 
LossyFIFOl example in Figure [6] Figure |9] shows how the probability of data loss varies as the arrival 
rate at node a increases. 




Figure 8: Derived CTMC of LossyFIFOl 



The probability of data- lost at node a 




0_0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 t.O 4_5 5_0 



5 Related work 



Figure 9: Probability of data lost at node a 



The research in formal specification of systems with quantitative aspects encompasses a variety of devel- 
opments such as Stochastic Process Algebras (SPAs) [6], Stochastic Automata Networks (SANs) QUI, 
and Stochastic Petri nets (SPNs) ||9l[T0l. SPA is a model for both qualitative and quantitative specification 
and analysis with a compositional and hierarchical framework. It has algebraic laws (the so-called static 
laws) and expansion laws which express parallel compositions in terms of SPA operators. In SPA the 
interpretation of the parallel composition is a vexed one because it allows various interpretations such 
as Performance Evaluation Process Algebra (PEPA) ifTTl . and Extended Markovian Process Algebra 
(EMPA) |[T2l[T3]| . SPA describes 'how' each process behaves, while (Stochastic) Reo directly describes 
'whaf communication protocols connect and coordinate the processes in a system, in terms of primitive 
channels and their composition. Therefore, (Stochastic) Reo explicitly models the pure coordination and 
communication protocols including the impact of real communication networks on software systems and 
their interactions. Compared to SPA, our approach more naturally leads to a formulation using queueing 
models. 

SPN is widely used for modelling concurrency, synchronization, and precedence, and is conducive 
to both top-down and bottom-up modelling. Stochastic Reo shares the same properties with SPN and 
natively supports composition of synchrony and exclusion together with asynchrony. The topology of 
connectors in (Stochastic) Reo is inherently dynamic, and it accommodates mobility f2?|. Moreover, 
(Stochastic) Reo supports a liberal notion of channels and is more general than data-flow models and 
Petri nets, which can be viewed as specialized channel-based models that incorporate certain specific 
primitive coordination constructs. 
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SAN consists of a couple of stochastic automata that act independently. Thus, the state of SAN at 
time t is expressed by the states of each automaton at time t. The concept of a collection of individual 
automata helps modeling distributed and parallel systems more easily. The interactions in SAN are 
rather limited to patterns like synchronizing events or operating at different rates. Compared with the 
SAN approach, the expressiveness of (Stochastic) Reo makes it possible to model different interaction 
patterns involving both asynchronous and synchronous communications. 

Continuous-Time Constraint Automata (CCA) [20] are another stochastic extension of CA that sup- 
port reasoning about QoS aspects such as expected response times. CCA are close to Interactive Markov 
Chains (IMCs) lITOll . that is, they have two types of transitions called interactive transitions and Marko- 
vian transitions for, respectively, the immediate interaction with the environment and internal stochastic 
behaviors. The stochastic extension in CCA focuses on internal behavior of a connector, but does not 
take into account the arrivals of I/O requests at the ends of a connector as a stochastic process, which is 
required for reasoning about the end-to-end QoS of a system. 

6 Conclusions and Future work 

We introduced Stochastic Reo automata by extending Reo automata with functions that assign stochastic 
values of arrival rates and processing delay rates to boundary nodes and channels in Stochastic Reo. This 
model is very compact compared to the existing models, e.g., in Q. Various formal properties of our 
model are obtained, reusing the formal justifications of the various properties of Reo automata 131, such 
as compositionality. 

The technical core in this paper shows the complexity of the original problem whence it stems from: 
derivation of stochastic models for formal analysis of end-to-end QoS properties of systems composed 
of services/components supplied by disparate providers, in their user environments. This complexity 
highlights the gross inadequacy of informal, or one-off techniques and emphasizes the importance of 
formal approaches and sound models that can serve as the basis for automated tools. 

Stochastic Reo does not impose any restriction on the distribution of its annotated rates such as 
the rates for data-arrivals at channel ends or data-flows through channels. However, for translation of 
stochastic Reo to a homogeneous CTMC model, we considered only the exponential distributions for the 
rates. As future work, we also want to consider non-exponential distributions by considering phase-type 
distributions [14] or using Semi-Markov Processes 1 15| as target models of our translation. A simulation 
engine ll2ll . already integrated into our toolset. Eclipse Coordination Tools (ECT) lITSl environment, 
supports a wide variety of more general distributions for Stochastic Reo. In our future work, we will 
consider rewards of a system along with its stochastic behavior as well. Our translation result will 
thus become a CTMC model with reward information on its transitions and states, and can be fed into 
a stochastic analysis tool. We will also implement a tool for our translation approach via Stochastic 
Reo automata. It will be an extension of the existing tools in ECT, for instance, by implementing the 
synchronization in Stochastic Reo automata. Furthermore, as a case study, we are currently applying our 
method to an industrial application, the ASK system [161 . by modeling the system with Stochastic Reo 
and analyzing the CTMC derived from its resulting Stochastic Reo automaton model ||23]| . 
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